Puppet Enterprise + firewall = pain.

I’ve been tasked with setting up Puppet Enterprise. For numerous reasons it’s shaping up to be the project from hell (some the fault of Puppet, but many that aren’t), but I’d like to share this little tidbit for posterity.

The main issue I’ve run into is that our Puppet server is in a highly restricted VLAN with no internet access. Since Puppet pulls its modules from the Puppet Forge, this becomes problematic. The solution we came up with is to explicitly state the git repo to use for each module in the Puppetfile.

Problem 1: Naming conventions.

I can’t keep 100% fidelity on the project names when we migrate them over. For the Puppet module KyleAnderson/consul, I don’t want to create a KyleAnderson user, so I have to mangle it to merge the user and project name together (since project names alone may not be unique; e.g. if bob/ntp wrote his module for Windows and kevin/ntp wrote his module for Linux, we can’t just call either puppet/ntp or we’ll get a collision).

In order to do this, we needed to get the git repo for each and mirror it. Well, that was the intent.
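The merged owner-plus-module naming described above, sketched as an added example (not code from the original post). It assumes r10k-style Puppetfile entries (`mod ... :git => ... :ref =>`) and a hypothetical internal mirror at `git.internal.example`; the helper names and the refs are invented for the demo.

```python
import re
from collections import defaultdict

# Assumption: base URL of the internal Git server that hosts the mirrors.
MIRROR_BASE = "https://git.internal.example/puppet-mirror"
SLUG_RE = re.compile(r"([A-Za-z0-9]+)[/-]([a-z][a-z0-9_]*)")  # owner/module


def split_slug(slug):
    """'KyleAnderson/consul' -> ('kyleanderson', 'consul')."""
    m = SLUG_RE.fullmatch(slug)
    if m is None:
        raise ValueError(f"not an owner/module name: {slug!r}")
    return m.group(1).lower(), m.group(2)


def mirror_name(slug):
    """Merge owner and module so mirror repo names stay unique."""
    return "-".join(split_slug(slug))


def collisions(slugs, namer):
    """Return {name: [slugs]} for every name claimed by two or more slugs."""
    seen = defaultdict(list)
    for slug in slugs:
        seen[namer(slug)].append(slug)
    return {name: who for name, who in seen.items() if len(who) > 1}


def puppetfile(pins):
    """Render entries that fetch each module from the mirror at a pinned ref."""
    # Puppet loads a module by its short name, so one environment cannot
    # hold both bob/ntp and kevin/ntp even though their mirrors differ.
    clash = collisions(pins, lambda s: split_slug(s)[1])
    if clash:
        raise ValueError(f"same module name twice in one Puppetfile: {clash}")
    out = []
    for slug, ref in sorted(pins.items()):
        name = mirror_name(slug)
        out.append(f"mod '{name}',\n  :git => '{MIRROR_BASE}/{name}.git',\n  :ref => '{ref}'\n")
    return "\n".join(out)


# Constructed sample: module names from the post, refs invented for the demo.
MODULES = ["KyleAnderson/consul", "bob/ntp", "kevin/ntp"]

if __name__ == "__main__":
    print(collisions(MODULES, lambda s: split_slug(s)[1]))  # module-only names
    print(collisions(MODULES, mirror_name))                 # merged names
    print(puppetfile({"KyleAnderson/consul": "v1.0.0", "bob/ntp": "v2.1.0"}))
```

Pinning `:ref` to a tag or commit that was reviewed before it was mirrored keeps the restricted VLAN from picking up upstream changes nobody looked at.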

Problem 2: Names don’t match

KyleAnderson/consul does not exist on GitHub. After manually searching the Forge, I see his URL is actually solarkennedy/consul. So this means we need to get the project URL for each module to be able to clone the git repo. After much experimentation with puppet help module, I realized I can search for the module name, export as YAML and grep out the project name. I end up using the following command to check out the 51 modules I need:

Problem 7: The control repo changed!

Between originally checking this out 3 weeks ago and now, they have gutted and rebuilt the example I was using. The rationale makes total sense (it was over-opinionated previously), but now the new version is incomplete, so I’m left twisting in the wind.

I have a call with our Puppet reps scheduled shortly and will pick up there.